Integrated firewall and VPN solutions ease administration of two important functions

Assets and threats to assets on the Internet are increasing at a staggering rate, so we must protect our networks from dangers both known and unknown. One popular tool for accomplishing this task is firewalls. These networking products have evolved a lot over the past several years. Simply blocking unwanted traffic and passing authorized traffic between networks isn't enough for today's firewalls. We expect more than just packet filtering. We want important security functions, such as Denial of Service (DoS) attack prevention and intrusion-detection systems.

Modern firewalls fall into one of two categories. Hardware-based firewalls (sometimes called appliances) use a particular hardware platform and a dedicated, proprietary OS. Software-based firewalls use standard hardware and a standard OS, such as Windows NT Server 4.0, that's been hardened (i.e., stripped of everything but the bare essentials in an effort to minimize security exposures). On top of the hardware and OS platform, both hardware-based and software-based firewalls run similar network-protecting firewall software.

Firewalls that offer a VPN component or option deserve special attention. Many companies deploy VPNs to secure communications between the corporate network and far-flung end users. Combining a VPN with a firewall in one solution makes administering the two functions easier.

I recently tested four popular software-based network firewalls that protect a network (not just a single workstation or server) and whose vendors also offer a VPN that integrates with the firewall. The products are Symantec's Raptor Firewall 6.5 with PowerVPN, NetGuard's GuardianPro 5.0 and Guardian IPSec VPN, Check Point Software Technologies' VPN-1 Gateway 4.1, and Computer Associates (CA's) eTrust Firewall 3.0 and eTrust VPN. Other software-based firewalls can work with third-party VPNs, but for this review, I selected single-vendor solutions. I invited Network Associates to submit for testing its Gauntlet Firewall and Gauntlet VPN, but the vendor declined to participate, saying it was gearing up for some changes to its product line.

Put to the Test
For the firewall server, I used a Compaq Professional Workstation with a 650MHz Pentium III processor, 192MB of RAM, a 6GB disk, and dual Intel Wake-On-LAN Ethernet adapters. I used several machines on the internal network to represent clients, ranging from a relatively powerful 650MHz Pentium III desktop to a 120MHz Pentium system. I used 300MHz Pentium II systems to simulate the VPN clients.

For each product I tested, I first installed NT 4.0 with the vendor's recommended service pack, then installed the firewall software. Some firewall products run on Windows 2000, but most don't because vendors know that many security administrators have a "wait-and-see" attitude about running a new OS or OS version on a perimeter server. Thus, I used NT 4.0 for an equal comparison of all the firewalls.

After I installed the software, I created a simple firewall policy that allowed full access for all inbound and outbound traffic and ran a few applications so that the firewall would generate log entries. I then constructed more elaborate security policies based on typical business scenarios, such as one that allowed HTTP traffic out while blocking all inbound traffic and another that allowed outbound traffic for the HTTP, SMTP, and DNS protocols. After building the policies, I used an application associated with each protocol for which I had defined rules to retest accessibility through the firewall. I then examined the firewall logs again to see how much help they would be in troubleshooting any potential problem. I also looked at the firewalls' realtime monitoring capabilities and VPN features.

Raptor Firewall 6.5 with PowerVPN
Some of the products I tested have been around a long time and show their maturity. The Raptor is one such product. Of all the firewalls I tested, this is the only one that uses Microsoft Management Console (MMC) as its front end. Raptor runs on NT Workstation, NT Server 4.0, and NT Server, Enterprise Edition (NTS/E). The Symantec Web site says a Win2K version is forthcoming. I didn't test the high-availability version that runs on Microsoft Cluster Services (MSCS).

Installing Raptor is easy. The total time from opening the software packaging to having an operative firewall was a little more than an hour, with one reboot. MMC wasn't installed on my system, so the installation process offered to perform this task for me, saving me from reaching for my NT installation CD-ROMs.

To work with Raptor, you open MMC and expand the Symantec and Raptor Management Console items, as Figure 1 shows. You can also install the Raptor Management Console elsewhere on your internal network and remotely manage one or more Raptor firewalls.

Raptor performs robust OS hardening, inserting a shim into the TCP/IP stack and disabling unnecessary services. When the firewall is running, it checks the system services every 60 seconds. If the firewall finds that an unwanted service has started, it shuts down that service. After I installed Raptor, I checked the listening ports and found Raptor's administrative port open on the external interface, but a quick call to technical support resolved the problem.

Raptor's approach to logging and monitoring firewall activity is superior to that of some other firewall products I tested. The software starts a new log each day and archives old logs to monthly folders that you can access from the management console. Monitoring current firewall connections was easy: I could double-click any connection in the log to get details about that connection. Suggestions for possible solutions accompany warning and error messages. One small annoyance is that a logged connection's source and destination information is buried within the rest of the text in the log entry. These important pieces of information should be in their own fields and sortable for easy troubleshooting. Raptor does, however, let you set log filters that you could use, for example, to find all the traffic coming from a given IP address.

Raptor's documentation can be frustrating. Features and commands are well indexed and well represented in the Table of Contents, but discussions of major concepts appear to be missing altogether. For example, the documentation doesn't explain Raptor's rule-processing order or provide any troubleshooting information. One documentation bright spot is site guides that help a new site's administrator document and plan the Raptor installation before getting started.

Raptor has built-in support for "black-hole" lists, which independent organizations maintain and make available on the Internet in an effort to thwart unsolicited commercial email (UCE). Black-hole lists name open relays (email servers that let anyone send mail). Raptor users can download these lists and configure them into the firewall, which will then prevent mail flow from any system on the lists.

The Raptor VPN product consists of two pieces. You can install the first piece, PowerVPN, along with the firewall product or on a separate server. You can set up site-to-site or user-to-site VPN tunnels. User-to-site connections use a second tunneling program, Raptor Mobile, which I found easy to use and connect.

Raptor Firewall 6.5 supports flexible service redirection. You can supply one IT address for multiple machines on the internal network. For example, you could define one address for inbound Web and FTP access and have Raptor redirect requests to two different internal machines. You could also use redirection to load-balance inbound traffic across several internal machines. And you could probably do away with your demilitarized zone (DMZ) configuration because Raptor's new redirection functionality performs the same task as most DMZ servers. (A DMZ is a small network that sits between the firewall and the Internet. A typical DMZ consists of unprotected DNS, Web, and email servers that relay traffic to the protected network.)

Raptor is easy to install and use. Firewall administrators will appreciate Raptor's MMC interface and its logging functions, especially when tracking down a specific connection or when taking action on a problem. Raptor's scalability sets it apart from many firewall products. Its clustering solution for high availability and its ability to offload VPN processing to a separate dedicated server firmly place this enterprise firewall product above the bar. Despite the minor difficulties with the documentation, Raptor is worthy of consideration by anyone shopping for an enterprise firewall product.

Raptor Firewall 6.5 with PowerVPN
Contact: Symantec * 301-258-5043
Web: http://www.symantec.com
Price: Firewall: $1995 for 25 users; VPN: $1995 for 25 users; integrated firewall and VPN: $2995 for 25 users
Decision Summary
Pros: Clustering version available; easy installation; strong hardening features; convenient logging and realtime monitoring of existing connections; built-in black-hole list support; flexible service redirection
Cons: Documentation doesn't cover major firewall topics, such as rule-processing order

GuardianPro 5.0 and Guardian IPSec VPN
GuardianPro offers a firewall, bandwidth management, and realtime monitoring in the same package. One of the veteran products on the market, GuardianPro uses its GuardianPro Explorer graphical front end to simplify the process of securing assets. Explorer's graphs and spreadsheet-style screens provide detailed information about the firewall's status and the traffic it's handling, as Figure 2 shows.

GuardianPro consists of two major software components: Agent and Manager. Agent is the actual firewall, which runs on NT Workstation or NT Server 4.0. Manager runs on Win2K Professional, Win2K Server, NT Workstation, and NT Server 4.0. A single Manager installation can administer multiple Agents on the network.

GuardianPro uses a strategy (a comprehensive set of user-defined rules) to protect assets and refers to users and assets as objects. GuardianPro Explorer has an Active Directory (AD) Import Wizard, which can attach to Win2K AD and import objects directly, simplifying the strategy-creation process.

GuardianPro's user manual is well organized and easy to read. The index is thorough, and important sections, such as those about installation and rule-processing order, are easy to find. However, rule creation isn't clearly documented, so understanding exactly how GuardianPro processes rules (a necessity when creating or modifying a strategy) is a bit difficult.

One of GuardianPro's most impressive features is the Firewall Strategy Wizard, which you access from GuardianPro Explorer. First-time users who are comfortable with firewall terminology can use the wizard to create their initial firewall strategy and fully configure the product. After installing GuardianPro, I used the wizard to get the firewall running in just minutes. After you create the first strategy, you can add or modify rules as necessary.

GuardianPro's approach to logging is also noteworthy. The product sports three mechanisms to bring important events to your attention: Logs, Alerts, and History. Logs chronicle GuardianPro system events. Alerts inform you about network-security events that require attention, such as a potential attempt to breach the network. History keeps a realtime summarized diary of packets that have crossed the firewall. History uses a spreadsheet format, so monitoring traffic and troubleshooting problems are easy.

Bandwidth management is another strong GuardianPro feature. You can assign a network device to one of three groups: Guaranteed, Priority, or Standby. You use the Guaranteed group for objects that require dedicated bandwidth, and you allocate fixed percentages of bandwidth to the other two groups. The percentages allocated to the Priority and Standby groups are portions of any bandwidth that the Guaranteed group isn't using. For example, if you have a 6Mbps Internet connection, objects (servers) in the Guaranteed category could potentially use all 6Mbps of bandwith. You could allocate 100 percent of any bandwidth not being used by Guaranteed devices to Priority devices. The Standby group is for low-priority applications that you want to restrict to running during certain hours. Within each bandwidth category, you can set 11 different priorities to further refine bandwidth allocation.

Remote clients can take advantage of Guardian IPSec VPN, which NetGuard delivers as an add-on PCI accelerator card with manager and client software. RedCreek Communications provides the accelerator card and Ravlin Node Manager product to manage the VPN architecture, but VPN traffic management is integrated directly into the GuardianPro firewall.

Establishing which combination of users, groups, and protocols can have VPN access is simple. You define rule sets for VPN traffic types the same way you configure any other firewall rule set. During my tests, I configured a highly tailored rule that gave specific remote-support-group users HTTP over Secure Sockets Layer (HTTPS) access to a mail server on the internal protected network. The configuration took no more than 30 seconds.

For environments in which authentication is necessary, GuardianPro uses SecurID, Remote Authentication Dial-In User Service (RADIUS), One-Time Password Authentication, S/Key, or an NT 4.0 domain password to support user authentication. GuardianPro also offers some built-in defenses for known attacks, such as SYN flood attacks, spoofing, and IP source routing.

GuardianPro is a strong contender at the enterprise level. The product is easy to use and to configure. A little training and exploration can enable even novice firewall administrators to keep a network secure with GuardianPro.

Guardianpro 5.0 and Guardian IPSec VPN
Contact: NetGuard * 972-738-6900
Web: http://www.netguard.com
Price: Firewall: $2480 for 25-user license; VPN: $1995 for 25 clients through May ($3000, beginning in June), and additional clients start at $100 with significant volume discounts available
Decision Summary
Pros: Simple, wizard-based configuration; bandwidth-management feature; realtime network monitoring and graphing; hardware-based VPN add-on offloads VPN processing from firewall system
Cons: Documentation doesn't clearly explain rule-processing order

VPN-1 Gateway 4.1
Check Point, the 800-pound gorilla of the software-based firewall industry, has updated its popular FireWall-1 product with a new look and new features. VPN-1 Gateway consists of FireWall-1 and Check Point's VPN-1 product. VPN-1 Gateway runs on NT 4.0 with Service Pack 6 (SP6) and earlier service packs; Sun Microsystems' Solaris 7.0 (32-bit mode only) and Solaris 2.6; Red Hat Software's Linux 6.1 and Linux 6.0; Hewlett-Packard's HP-UX 11.0 (32-bit mode only) and HP-UX 10.20; and IBM's AIX 4.3.3, AIX 4.3.2, and AIX 4.2.1. The firewall's graphical client runs on NT 4.0, Windows 9x, Solaris, HP-UX 10.20, and AIX.

The VPN-1 Gateway installation went smoothly, requiring me to make only a few choices and provide a license key, which I easily obtained from Check Point's licensing Web site through an automated process. After installation, though, I evaluated the firewall's default options and found that I still had to do some hardening on the firewall machine. The installation routine didn't offer any help with this process or any documentation explaining what was necessary. The measures required to secure a server change rapidly, and I consider these measures to be security best practices rather than firewall-hardening practices, so I wouldn't necessarily fault Check Point for not including firewall-hardening aids. You can find some guidelines for hardening FireWall-1 servers at http://www.phoneboy.com/fw1.

The Check Point custom GUI is separate from FireWall-1 and VPN-1, so you can manage these products remotely. When you configure the firewall and VPN gateway, you specify which clients can manage them. This distributed approach lets one or more firewall administrators manage one or more Check Point firewalls or VPN gateways.

Although I didn't find any wizards to help automate the process of defining firewall rules, manually defining rules was simple with Check Point's management GUI. The GUI's Policy Editor makes it easy to set one security policy to cover multiple firewalls and provide protection for multiple enforcement points on your network. A Check Point policy helps you uniformly apply your company's security guidelines. Policies contain rules, which allow or disallow traffic. For instance, you could restrict certain groups of users from using a multimedia service that eats up your bandwidth. You can also apply rules at certain times of the day. VPN-1 Gateway evaluates rules, including a few hidden ones, in order. Figure 3 shows the rules for the FireWall-1 Standard policy.

Maneuvering through FireWall-1's logs requires a bit of patience. By default, the product shows you the logs in real time, which is usually a good thing, but the FireWall-1 log viewer is painfully slow and displays IP addresses in their reverse-lookup formats. The logs are more manageable if you stop the realtime updates and disable reverse lookup. FireWall-1 also offers an optional Reporting Server solution that lets you consolidate log entries and generate useful reports based on logging data.

VPN-1 Gateway offers a new High Availability Module that integrates with FireWall-1 and VPN-1 and replaces the old synchronization method. Nodes in a Check Point cluster now communicate on one UDP port.

VPN-1 Gateway's approach to VPNs and remote clients is the best of all the products I tested because the client software can help protect against intrusion, as opposed to simply providing a secure connection to the firewall. The VPN-1 family of products includes two clients: VPN-1 SecuRemote, a typical VPN client; and VPN-1 SecureClient, which adds firewall features to SecuRemote. SecureClient is designed to protect remote users from attack, thereby preventing malicious users from hijacking innocent users' VPN connections. A secured-client approach is perfect for users most at risk, including those using Digital Subscriber Line (DSL), cable-modem, and other always-on technologies. To add firewall protection to remote clients, you simply select the Desktop Security option when you install VPN-1 Gateway and install SecureClient on the remote client.

VPN-1 supports public key infrastructure (PKI) products and services from many vendors, including popular certificate authorities such as VeriSign, Baltimore Technologies, and Entrust Technologies. You can offload CPU-intensive encryption operations to an optional VPN accelerator card to hike VPN-1's throughput.

Check Point's documentation is available on the product's CD-ROM in Adobe Acrobat PDF format, so you can easily search for topics, commands, and syntax. The documentation is thorough and well indexed. Concepts and command syntax are covered equally well.

VPN-1 Gateway is easily one of the top contenders in the software-based firewall category. The management tool's distributed approach makes VPN-1 Gateway a good choice for IT shops that need to both protect the network perimeter and segregate internal network traffic. In addition, VPN-1 SecureClient extends firewall features to remote clients. Unfortunately, VPN-1 Gateway misses the mark with its slow and unwieldy log viewer.

VPN-1 Gateway 4.1
Contact: Check Point Software Technologies * 650-628-2000
Web: http://www.checkpoint.com
Price: Firewall and VPN: $3495 for 25 protected IP addresses serving unlimited inbound connections; VPN-1 Accelerator Card costs $995; VPN-1 SecureClient starts at $40 per client
Decision Summary
Pros: GUI makes constructing rule set easy; one security policy covers the entire enterprise; integrated firewall/VPN service is easy to configure; VPN-1 SecureClient adds firewall protection to clients; good documentation
Cons: Log display is slow when parsing large log files; no wizards to help configure firewall rules

eTrust Firewall 3.0 and eTrust VPN
CA offers eTrust as its comprehensive enterprise firewall solution. Formerly known as GuardIT, this kernel-level firewall is a powerful component of CA's Unicenter TNG family, although you can use eTrust Firewall independently of Unicenter TNG. eTrust Firewall runs primarily on NT 4.0, but I ran the management tool on Win2K Pro.

After I installed the Unicenter TNG Framework, installing eTrust was a breeze and took only a couple of minutes. When you install the firewall-administration tool, eTrust also installs a Java runtime environment. Don't be put off because the administration tool is Java-based; I installed the eTrust administrator and Java runtime tool on a Win2K client behind the firewall and found the tool to be faster and more productive than other firewall administration tools in this review.

After I started the firewall and launched the administrator for the first time, I had to bind each NIC in the firewall to its corresponding virtual network. eTrust predefines three such virtual networks: a private internal network, an exposed DMZ network, and the Internet. Figure 4 shows the intuitive network diagram eTrust provides to assist in the binding process. You drag icons that represent the appropriate NICs from the tree in the left-hand pane onto the correct VPNs in the right-hand pane. After binding the interfaces, I could begin to create firewall rules.

CA's easy-to-use Internet Wizard is by far the most comprehensive wizard that I encountered in any of the products I reviewed. It helped me set up rules for external access and configure Network Address Translation (NAT) to redirect Web, DNS, email, and other services from the firewall to an internal machine. Sending the configuration to a firewall is as simple as right-clicking the firewall listed in the administration tool's tree and selecting the Deploy option, which causes eTrust to compile the rule base and update the firewall.

eTrust's logging features are a bit different from those of the other products I tested. For any given rule, you can set up a series of alerts. You can tie the alerts to an external program or interface to use your own custom notification alternative, or you can use Unicenter TNG's alerting functions. Within eTrust, you can click the alerts icon to display a log of recent alerts. To see a history of all connections, both passed and failed, you need to run one of several reports that eTrust includes. These reports can help you troubleshoot connections.

Online Help in eTrust is scarce. Most screens are devoid of any useful information. The FAQs on CA's Web site contain much more information than the online Help file does.

eTrust is unique in that you can delegate to administrators permissions for individual firewalls. Each firewall has a separate set of rules for inbound traffic, outbound traffic, and DMZ traffic. In addition to invoking a firewall's individual rule sets, eTrust applies a set of overriding rules before and a set of baseline rules after the individual rules. You can configure and use overriding rules to enforce a corporate policy on certain protocols and baseline rules as a minimum firewall policy. Each firewall also has a vulnerability scanner that examines the firewall host for potential vulnerabilities such as services and open ports.

CA's eTrust VPN doesn't become part of the firewall; instead, you install it directly on servers that users need access to. This standalone approach to VPN services lets you restrict VPN traffic to one port. eTrust VPN runs on NT 4.0, Win9x, Solaris 2.6 and later, AIX 4.3.3 and later, and HP-UX 11 and later.

The VPN is unique in another way too: It works in conjunction with PPTP, Layer 2 Tunneling Protocol (L2TP), and the IP Security (IPSec) protocols. Consequently, if you're already using these protocols, you don't need to change your entire infrastructure to accommodate the VPN and clients can use your existing authentication methods when attaching to a VPN-enabled server. In addition, eTrust VPN supports Triple Data Encryption Standard (3DES—168-bit) encryption.

Overall, eTrust Firewall is easy to use. Administrators thinking about deploying their first firewall or those who already have a Unicenter TNG deployment should seriously consider eTrust if its price is within their budget. The flexibility of the rule base combined with the Internet Wizard and the interaction with other CA components makes this a simple and wise choice for many enterprise environments.

eTrust Firewall 3.0 and eTrust VPN
Contact: Computer Associates * 631-342-5224
or 800-225-5224
Web: http://www.ca.com
Price: Firewall: $2999 for unlimited users and sessions; VPN: starts at $4000 per server administrator
Decision Summary:
Pros: Integrates with Unicenter TNG Framework; fast, Java-based management client; excellent configuration wizard; flexible rules
Cons: Poor online Help

A Couple Standouts
Each firewall I tested appears to adequately protect the internal network, and each product has its strong points. Table 1 shows a feature comparison of the four products. The four vendors take slightly different approaches to VPNs. You can use Symantec's software-based VPN with Raptor or another firewall running on a separate machine. NetGuard offers a hardware-based VPN in the form of a PCI accelerator card that you add to the firewall system; this approach helps free up system resources. Check Point integrates its software-based VPN directly into the firewall for access to systems on the internal network and offers a VPN accelerator card. CA designed eTrust VPN not to give clients access to the entire network but rather to give them access to specific systems on which the VPN is installed. This approach might appeal to shops that need a high level of control, but the base price of $4000 for one server is on the high side.

Symantec has clearly put a lot of effort into Raptor's daily management features. Raptor was an easy and fun product to use. eTrust offers a good management interface, an excellent configuration wizard, and a flexible rules approach.

VPN-1 Gateway is a solid product with a very attractive VPN client solution. VPN-1 SecureClient should meet with warm approval from security administrators. Throw in VPN-1 Gateway's high-availability feature and flexible rules, and this product stands tall. But GuardianPro really shines with its logging and alerting features, which make the life of a firewall administrator much easier.

Of the firewalls I tested for this review, my favorite is GuardianPro and Guardian IPSec VPN, with VPN-1 Gateway a close second. The Guardian solution does cost a bit more than VPN-1 Gateway, but I think its monitoring capabilities are worth the extra money. If the two firewalls' architectures fit your environment, be sure to give them both a close look.